Link to home
Start Free TrialLog in
Avatar of Enlightx

asked on

Active Directory issues main server failing

currently have a network setup with the following servers

Computer name               OS
Server                                 Windows 2003 SBS
Data                                    Windows 2003 Std
Exchange                           Windows 2008 Std running exchange 2010

i have been migrating exchange from server to exchange servers as well as moving DHCP, DNS and active directory roles.
server (2003 SBS) is now hardware failing so i was hoping to get the server down and removed from the directory.

Currently having lots of issues with the active directory to the point were if Server is offline no computers can login even thought all roles have been moved to Exchange.

I have attached a dcdiag which was run on the exchange server.  looks to me like DNS entrys are wrong but need help working it out.
Avatar of sinfocomar

An error such as Fatal Error:DsGetDcName can be caused by various reasons.

Please post:
How many DCs in the forest?
An unedited ipconfig /all from the DCs and from a sample workstation
Any Event log errors?  - We'll need the EventID# and the Source Name in the errors. You can use the copy/paste function in the event viewer.
What operating system and service pack level are the server?
Another error I saw was no GC Global Catalogs found.

It is not best practice to make your exchange server a DC

As the post above asked

How many DC's you have?

run dcdiag on all and post.
Avatar of Enlightx


i was just going to post them up for you but "server" has gone down again killing the other server in the process.  

Cannot get access to "server" untill tomorrow now to get it and "data" back online.

my plan was to get "exchange" running the network and then when all is quite then replace "data" which would then be the future main DC leaving exchange alone to do its thing.

i think the main thing i need to sort is why the network refuses to see "exchange" as a DC for logins if i can sort this at least i can get the network up and running as "server" is powering down every 4 - 5 hours currently dont think its gonna last much longer

to note in total 3 DC servers all set as global catalog, i have moved FSMO roles to exchange but rest of network does not seem to recogise this and is still trying to go to "server"
managed to get one of the data server online as well as a client to login attaching ipconfigs and dcdiags from them as well

When pinging upandunder.local on client and data server

both report (which is faulty server which is currently offline)

pinging upandunder.local on exchange server points to itself (

how do i update DNS server to point correctly?
Well your DNS server entry is not correct on exchange.  is not a valid DNS server entry.

Your other computer data has for the DNS server   who is ?

The Two DC's  other than exchange should also be running DNS

Do not put any AD roles on Exchanges Server Not good Practice

Again do not make exchange a DC
i have now changed DNS entry to (itself thought i was okay with is "exchange"

other 2 DCs are soon to be replaced ("server is failing/failed) so didnt see point in having DNS on there when its running on "exchange"

in regards to running AD roles on exchange server this is only a temporary measure while other server is migrated. what are the down sides to doing this?  i dont plan on leaving it this way permanently.
Ok I see

Lets see if computers can logon to the AD now.

They are all using DHCP correct? pointing to for DNS
All Clients are using DHCP and DHCP sets as DNS server

iv tried to login using a client and it does seem to login after a while.

also takes a long time to logout also

pinging upandunder.local from the client comes back as (data DC server not exchange)
if i then run ipconfig /flushdns

it then comes back as
Post ipconfig /all from that computer
Windows IP Configuration

        Host Name . . . . . . . . . . . . : oem-4a3b72d24f4
        Primary Dns Suffix  . . . . . . . : upandunder.local
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : upandunder.local

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : upandunder.local
        Description . . . . . . . . . . . : Realtek RTL8168D(P)/8111D(P) PCI-E G
igabit Ethernet NIC
        Physical Address. . . . . . . . . : 00-25-22-81-52-01
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . :
        Subnet Mask . . . . . . . . . . . :
        Default Gateway . . . . . . . . . :
        DHCP Server . . . . . . . . . . . :
        DNS Servers . . . . . . . . . . . :
        Lease Obtained. . . . . . . . . . : 19 May 2014 19:35:27
        Lease Expires . . . . . . . . . . : 27 May 2014 19:35:27

to note: early uploaded file ipconfig -client was incorrect file that was from exhange server
try this

ipconfig /all >c:\ipcfg.txt

that will save it to a file then copy it to the computer you are using for this site attach the file
file attached.
was a DNS server before?

If so are the DNS server services still running?

Another thing what is Cisco?

Check to see what DNS settings are in that device was once a DNS server as a backup but has since been removed is company ADSL router (DHCP Disabled)
its used as a gateway and also for external DNS requests

to note running DCDiag on the server still says no GC servers are available its as if even the server itself cannot see it self

Check the ADSL router for its local network settings make sure its local lan connection is pointing and not

I would flush dns on the router I  believe it still has cached

Are you sure the Exchange server has been made a GC double check that.
How do I check exchange is running as gc ?

Box is ticked when I right click computer in sites and services
try this

 dsquery server -isgc
get this back as the result :


i have also changed external DNS lookups now to google incase of adsl router causing issue.
looking deeper into things it looks like i have no netlogon on the 2 working servers !  This would explain why clients are having a hard time logging in when only these 2 servers are online.

When running dcdiag /test:netlogons

Windows 2008 machine fails on
unable to connect to the netlogon share! (\\exchange\netlogon)
[exchange] an net use or LsaPolicy operation failed with error 67
the network name cannot be found

Windows 2003 machine fails on
Unable to connect to the netlogon share! (\\data\netlogon)
[data[ an net use or lsapolicy operation failed with error 1203, win 32 error 1203

it looks like the main server (which is now badly failing due to faulty HDD and overheating issues) is not replacting to the other servers because of this.

what should i do ?
run this netdom query FSMO

Are you sure the roles transferred to exchange?

check DC -> NTDS settings    what do you have there?
You need to implement your contingency plan pronto. You can't even think of doing anything before backing up that server and replacing it. Image the HDD to a new one and get a server that doesn't overheat. I do not recommend working on the AD records without having a stable hardware platform in place.

Afterwards you can check who has what role, whats missing, etc...
theres no hard data on the server this has all been moved away.

can you recommend a method for backing up the active direcory?

both of the other DC seem to have replicated all usernames passwords etc okay just seems like netlogon and GC stuff is not going.

Looks like there has been some DNS issues in the past which im sorting out atm then i think to get replication running okay then ill move the FSMO roles again (moved them back to original server for now to get network up and running)

have also sent someone out onsite to stop old server overheating and crashing :)
iv now got DNS workin correctly on all 3 DCs and they can all see each other correctly and DNS tests all pass (they didnt before)

currently trying to sort the netlogon issues with the data server as there are no sysvol or netlong shares there

if i can get this server working i can then move all fsmo roles to this server

running dcdiag /test:netlogons  i get the following

Doing primary tests

   Testing server: Default-First-Site-Name\DATA
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\DATA\netlogon)
         [DATA] An net use or LsaPolicy operation failed with error 1203, Win32
Error 1203.
         ......................... DATA failed test NetLogons
Good job. You should transfer all Active Directory roles. After that you can discard the old server with or without dcpromo delete If you remove it while its still active, I guess its a cleaner process.
problem is i have no netlogon os sysvol on any server other then failing server.

so even if i do move fsmo roles clients still wont be able to logon.

trying every fix i can find that error 1203 and cannot get share folders to appear
Did you install the feature NTFRS on the 2008 servers which is used in 2003 domains to perform sysvol replication?

Run repadmin /showreps and post output

NFRS is under the role file services - add role services - windows server 2003 file services (file replication service)
just installed the role in 2008 server (to note data server is 2003 currently main objective is to get that running the network i can worry about the 2008 which is running exchange server later)

didnt know which server you wanted repadmin /showreps running from so attached all 3
After installing NFRS, run the following command on all servers

ntfrsutl ds |findstr /i "root stage"
Exchange :
Root      : c:\windows\sysvol\domain
Stage     : c:\windows\sysvol\staging\domain

Server :
Root      : c:\windows\sysvol\domain
Stage     : c:\windows\sysvol\staging\domain

Data :
Root      : c:\windows\sysvol\domain
Stage     : c:\windows\sysvol\staging\domain

(i didnt install anything on 2003 servers for NFRS i take it this is correct?)
No need to install anything on 2003 server.

Any errors in event on 2008 servers?
from what i can see i was getting file replication warnings from server to exchange but these stopped an hour ago and nothing since then

getting some MSexchange ADAccess errors
Process MAD.EXE (PID=1236). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
 (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
SERVER.upandunder.local      CDG 1 7 7 1 0 1 1 7 1
data.upandunder.local      CDG 1 7 7 1 0 1 1 0 1
EXCHANGE.upandunder.local      CDG 1 7 7 1 0 1 1 0 1
Good. Do you have the shares now?

no still no shares :(

Server has sysvol & netlogon

exchange has sysvol

data has nothing

do you think running DC promo on data to remove it as a DC then running again might help?
You need to get replication working between data and exchange.

Do not dcpromo until exchange AD is working correctly
right just performed a reboot on the exchange server.

get the attached event

when i browse to \\upandunder.local\
it looks like its going to the \\data share which doesnt have a sysvol or netlogon so cannot get the GPO
On your 2008 servers.
    1. Stop NTFrs Service.
    2. Delete "dns domain name" folder from c:\windows\SYSVOL\staging areas.
    3. Create the junction point by running the following command: mklink /J "c:\windows\syslog\staging areas\dns domain name" c:\windows\sysvol\staging\domain
    4. Delete the "dns domain name" folder from c:\windows\SYSVOL\sysvol.
    5. Create the junction point by running the followign command: mklink /J c:windows\sysvol\sysvol\dns domain name c:\windows\sysvol\domain
    5. Start the NTFrs service

Check for errors in Event
when running

mklink /J "c:\windows\syslog\staging areas\dns domain name" c:\windows\sysvol\staging\domain

in cmd line getting the following
The system cannot find the path specified.
also tried the following with same effect

mklink /J "c:\windows\syslog\staging areas\upandunder.local" c:\windows\sysvol\staging\domain
Did you change "dns domain name" for your own?


mklink /J "c:\windows\syslog\staging areas\upandunder.local" c:\windows\sysvol\staging\domain
got the command working now and restarted ntfrs

no errors as of yet but also no netlogon share
Here I found this that might help you
Seems to be damaged beyond what I initially estimated. Lets reset the whole tree to be sure.

Did you at least get the Sysvol share back?
yeah already got the sysvol share back a few days ago on exchange

nothing at all on data (windows 2003 std)
Can you add another DC, a temporary one to hold the roles and to work on? 2003 if possible
Yeah it's possible I suppose

Let me see what I can sort out
Avatar of sinfocomar

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Try this before putting another server in or after ?
I'd do it after and on the temp server
okay im off the next 4 - 5 days so ill get something plumbed in next week.

in mean time should i backup from the old server using NTBackup to backup the Active D ?
I'd download a trial version of Backup Exec for a complete backup and later easy restore.
Just an update iv managed to get replication working correctly now :) and data server does indeed have netlong and sysvol shares. waiting on exchange server to replcate and hopefully that will have them as well.  Then i can get on with moving FSMO roles and getting failing server offline

what i did was run the following on the failing server on the network

To fix the problem, you must designate a domain controller to be authoritative for the Sysvol replica set:
1. Stop the File Replication service on the PDC emulator FSMO role holder.
2. Use the Registry Editor to navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Paramaters\Backup/Restore\Process at Startup.

3. Double-click the BurFlags Value Name, a REG_DWORD data type, and set the data value to D4, using the Hex radix.
4. Exit the Registry Editor.
5. Start the File Replication service.
Excelent! Sounds promising.